OFFICE OF THE INSPECTOR GENERAL
U.S. NUCLEAR REGULATORY COMMISSION

Accountability and Control Over NRC’s Noncapitalized IT Equipment

OIG-01-A-10    June 1, 2001

AUDIT REPORT

All publicly available OIG reports (including this report) are accessible through NRC’s website at: http://www.nrc.gov/NRC/OIG/index.html

June 1, 2001

MEMORANDUM TO: William D. Travers
               Executive Director for Operations

FROM:          Stephen D. Dingbaum/RA/
               Assistant Inspector General for Audits

SUBJECT:       REVIEW OF ACCOUNTABILITY AND CONTROL OVER NRC’S NONCAPITALIZED IT EQUIPMENT (OIG-01-10)

Attached is the Office of the Inspector General’s audit report titled, Review of Accountability and Control Over NRC’s Noncapitalized IT Equipment.

This report reflects the results of our review of specific aspects of NRC’s property management program. The review determined that NRC’s property management policies adhere to applicable laws and regulations; however, management controls to implement these policies are inadequate or lacking. In addition, the computer system that functions as the official database for the agency’s property transactions contains inaccurate information.
As a result, improved management controls are needed to better safeguard agency equipment.

At an exit conference on May 22, 2001, NRC officials stated general agreement with the report’s findings and recommendations. They also suggested several report revisions, which were incorporated where appropriate.

If you have any questions, please contact Tony Lipuma at 415-5910 or me at 415-5915.

Attachments: As stated

cc: John Craig, OEDO
    R. McOsker, OCM/RAM
    B. Torres, ACMUI
    B. Garrick, ACNW
    D. Powers, ACRS
    J. Larkins, ACRS/ACNW
    P. Bollwerk III, ASLBP
    K. Cyr, OGC
    J. Cordes, OCAA
    S. Reiter, Acting CIO
    J. Funches, CFO
    P. Rabideau, Deputy CFO
    J. Dunn Lee, OIP
    D. Rathbun, OCA
    W. Beecher, OPA
    A. Vietti-Cook, SECY
    W. Kane, DEDR/OEDO
    C. Paperiello, DEDMRS/OEDO
    P. Norry, DEDM/OEDO
    M. Springer, ADM
    R. Borchardt, NRR
    G. Caputo, OI
    P. Bird, HR
    I. Little, SBCR
    M. Virgilio, NMSS
    S. Collins, NRR
    A. Thadani, RES
    P. Lohaus, OSP
    F. Congel, OE
    M. Federline, NMSS
    R. Zimmerman, RES
    J. Johnson, NRR
    H. Miller, RI
    L. Reyes, RII
    J. Dyer, RIII
    E. Merschoff, RIV
    OPA-RI
    OPA-RII
    OPA-RIII
    OPA-RIV

EXECUTIVE SUMMARY

BACKGROUND

Official U.S. Nuclear Regulatory Commission (NRC) property records are maintained in an online interactive computer system that functions as the official database for the agency’s property transactions. The Division of Contracts and Property Management, Office of Administration, manages the property and supply system (PASS).
PASS accounts for more than 27,000 pieces of noncapitalized equipment [1] with an acquisition cost of approximately $75 million. Of these totals, noncapitalized information technology (IT) equipment is approximately 16,000 pieces with an acquisition cost of approximately $51 million.

PURPOSE

The objectives of the audit were to determine whether the NRC’s (1) policies governing the accountability and control over agency noncapitalized IT equipment adhere to applicable laws and regulations; (2) official database for property transactions reflects accurate information for noncapitalized IT equipment; and (3) property management program has adequate safeguards to deter and prevent loss through fraud, waste or misuse.

RESULTS IN BRIEF

NRC’s property management policies for noncapitalized IT equipment adhere to applicable laws and regulations, such as the Federal Property Management Regulations. However, management controls to implement these policies are inadequate or lacking. Also, PASS contains inaccurate information and improved management controls are needed to better safeguard agency equipment.

PASS Data Is Not Accurate

Statistical projections show that PASS does not accurately reflect the location of as many as 3,571 items of noncapitalized IT equipment (at headquarters and Region I) costing approximately $8.38 million. Furthermore, 526 items of IT equipment are missing from the Office of the Chief Information Officer’s (OCIO) mini-warehouse.
PASS does not accurately reflect the location of noncapitalized IT equipment because accountability of property custodians is limited. Inaccurate location information in PASS (1) can result in the unnecessary purchase of equipment, and (2) is a contributing cause for costly unofficial supplemental property management systems. PASS location inaccuracies result in a heightened potential for fraud and misuse of agency equipment.

[1] Noncapitalized equipment represents NRC property (either in the agency’s possession or contractor-held) with an initial acquisition cost of less than $50,000.

Additionally, a comparison of the two PASS sensitive item designation fields revealed a 15 percent error rate. A secondary sensitive item indicator is inaccurate and inconsistent, placing accountability for sensitive items [2] (including 81 laptop computers) in jeopardy and heightening the vulnerability of sensitive equipment to fraud or misuse. As a result, NRC may not physically recover all sensitive property assigned to employees that leave the agency.

Property Management Program Needs Improved Safeguards

NRC’s management controls are not adequate or are lacking regarding (1) Security Incident Reports [3], (2) separated employees’ PASS accounts, (3) separation of duties, (4) physical inventory procedures, and (5) the Handbook for Property Custodians.
For example, only four Security Incident Reports were filed since January 1999 despite the fact that 117 items are missing from the fiscal year 2000 inventory. Additionally, 526 items, not subject to inventory, are missing from the OCIO mini-warehouse. Without Security Incident Reports, recovery of missing items is unlikely.

RECOMMENDATIONS

This report makes 14 recommendations to the Executive Director for Operations to improve the property management program. Eight recommendations are made to improve the accuracy of PASS information and six recommendations address inadequate or lacking management controls.

AGENCY COMMENTS

At an exit conference on May 22, 2001, NRC officials stated general agreement with the report’s findings and recommendations. They also suggested several report revisions which were incorporated where appropriate.

[2] Equipment that is desirable for personal use and can be easily removed from the premises (e.g., laptop computers, cell phones).

[3] Security Incident Reports are used to report missing/stolen property and serve as the basis for notifying the OIG.

ABBREVIATIONS AND ACRONYMS

ADM     Office of Administration
DCPM    Division of Contracts and Property Management
FY      Fiscal Year
GAO     U.S. General Accounting Office
IT      Information Technology
JFMIP   Joint Financial Management Improvement Program
MD      Management Directive
NRC     U.S. Nuclear Regulatory Commission
OCIO    Office of the Chief Information Officer
OIG     Office of the Inspector General
PASS    Property and Supply System
SIH     Sensitive Item Holders
SIR     Security Incident Report
UCL     Upper Confidence Limit

TABLE OF CONTENTS

EXECUTIVE SUMMARY
ABBREVIATIONS AND ACRONYMS
I. BACKGROUND
II. PURPOSE
III. FINDINGS
    A. PASS DATA IS NOT ACCURATE
    B. PROPERTY MANAGEMENT PROGRAM NEEDS IMPROVED SAFEGUARDS
IV. OTHER RELATED MATTERS
V. CONSOLIDATED LIST OF RECOMMENDATIONS
VI. AGENCY COMMENTS
APPENDIX
    A. SCOPE AND METHODOLOGY

I. BACKGROUND

The Federal Property Management Regulations and other applicable laws and regulations require the U.S. Nuclear Regulatory Commission (NRC) to establish and apply standards and procedures for using and controlling property. The proper stewardship of Federal resources is an essential responsibility of agency managers and staff. Office of Management and Budget Circular A-123, revised, Management Accountability and Control, establishes guidance to improve the accountability and effectiveness of Federal programs by establishing, assessing, correcting, and reporting on management controls. An agency’s internal controls (a subset of management controls) are used to prevent or detect unauthorized acquisition, use, or disposition of an agency’s assets.

NRC Management Directive (MD) 13.1, Property Management, revised October 15, 1999, was issued to establish and apply standards and procedures for using and controlling property in accordance with applicable laws, regulations, and authoritative guidance. The MD describes organizational responsibilities and delegates authority to numerous agency executives.
The MD includes an associated Handbook 13.1, Property Management, which contains guidelines and procedures to ensure that Government property is protected against waste, theft, or misuse. Additionally, in November 2000, NRC distributed its Handbook for Property Custodians, [1] which contains additional responsibilities and guidance. The Division of Contracts and Property Management (DCPM), Office of Administration (ADM), manages NRC’s property management program, including the property and supply system (PASS).

[Figure: NRC Noncapitalized Equipment (pie chart): 11,000 Other; 16,000 Information Technology]

As of August 2000, PASS contained records for more than 27,000 pieces of noncapitalized equipment with an acquisition cost of approximately $75 million. Of that total, noncapitalized information technology (IT) equipment is approximately 16,000 pieces with an acquisition cost of approximately $51 million. PASS contains records for sensitive equipment, [2] regardless of cost, and nonsensitive equipment having an acquisition cost of at least $300. NRC assigns a unique blue property tag number to all equipment recorded in PASS. Although not entered in PASS, nonsensitive equipment with an acquisition cost below $300 is assigned a red non-controlled NRC property tag. PASS calculates depreciation [3] for noncapitalized IT equipment by dividing acquisition cost by a standard 5-year useful life. Once nonsensitive equipment has depreciated below a $300 threshold, it is no longer counted in physical inventories at headquarters. However, these records remain in PASS as long as the equipment is in use.

[1] This is a separate Handbook from that contained in MD 13.1.

[2] Equipment that is desirable for personal use and can be easily removed from the premises (e.g., laptop computers, cell phones).

[Figure: Location of Noncapitalized IT Equipment (pie chart): 5,520 Other; 10,480 Headquarters]

NRC conducts physical inventories of property every two years (see chart above for location of 16,000 pieces of noncapitalized IT equipment) and periodically reviews each region’s property management program.
Once an inventory is completed, DCPM reconciles all discrepancies or missing items with PASS. After reconciliation, the results are reported to NRC senior management.

Property custodians (ranging in grade from GG-7 to GG-15), located in individual NRC offices, assist DCPM. Among other responsibilities, property custodians manage and control the property assigned to their accounts by: (1) updating records, (2) recovering property assigned to separating employees, (3) assisting in locating missing property, and (4) participating in official inventories.

[3] This internal PASS computation is performed to determine the $300 physical inventory threshold and is not related to depreciation for financial statement purposes.

II. PURPOSE

The objectives of the audit were to determine whether the NRC’s (1) policies governing the accountability and control over agency noncapitalized IT equipment [4] adhere to applicable laws and regulations; (2) official database for property transactions reflects accurate information for noncapitalized IT equipment; and (3) property management program has adequate safeguards to deter and prevent loss through fraud, waste or misuse.
Appendix A contains the scope and methodology of this review.

[4] Noncapitalized IT equipment represents NRC IT property (either in the agency’s possession or contractor-held) with an initial acquisition cost of less than $50,000.

III. FINDINGS

NRC’s property management policies for noncapitalized IT equipment adhere to applicable laws and regulations such as the Federal Property Management Regulations. The agency’s broad policies recognize the need for control systems to safeguard property. However, PASS is not reliable because it contains a high percentage of inaccurate information for noncapitalized IT equipment location and sensitivity designation. Also, NRC’s property management program needs improved safeguards because management controls either are inadequate or lacking. These conditions leave NRC equipment susceptible to loss from fraud or misuse.

A. PASS DATA IS NOT ACCURATE

Statistical projections show that PASS does not accurately reflect the location of as many as 3,571 items of noncapitalized IT equipment (at Headquarters and Region I) costing approximately $8.38 million. In addition, a secondary sensitivity indicator for noncapitalized IT equipment was inaccurate for 15 percent of sensitive items (at headquarters with an acquisition cost of less than $10,000).
The data is not accurate because PASS is not updated in a timely manner, accountability for property custodians is limited, and one account assigned to the Office of the Chief Information Officer (OCIO) is not adequately controlled. In addition, PASS does not have the appropriate edit checks to ensure the proper designation of sensitive items. As a result, (1) the system is unreliable and several users have developed costly unofficial supplemental property management systems (hereafter referred to as supplemental property systems); and (2) sensitive equipment is at increased risk from loss or theft.

PASS Location Data

The Joint Financial Management Improvement Program (JFMIP) [5] and NRC internal guidance specifically address property accountability. In October 2000, the JFMIP issued Property Management Systems Requirements, which explains that capturing location is one function of a property management system.

NRC Handbook 13.1, Property Management, explains that PASS serves as the official database for NRC property transactions and states:

    It is the policy of the U.S. Nuclear Regulatory Commission to manage and use property and supplies in its possession or its contractors’ possession effectively and efficiently and to provide sufficient controls to deter or eliminate loss through fraud, waste, or misuse.

[5] JFMIP is a joint undertaking of the U.S. Department of the Treasury, the General Accounting Office, the Office of Management and Budget, and the Office of Personnel Management, working with other agencies to improve financial management practices in Government.

Furthermore, ADM’s fiscal year (FY) 2000 and FY 2001 Operating Plans include an effectiveness metric which requires that “All property in the PASS database is accounted for.”

PASS, however, does not accurately reflect the location for many noncapitalized IT equipment items. To assess location accuracy, the Office of the Inspector General (OIG) selected statistical samples from headquarters, Regions I and II, and two NRC contractors. Because NRC recently completed a physical inventory of PASS equipment, OIG generally based sample sizes on an anticipated error rate of no greater than 5 percent. OIG then inventoried the sample items at these locations. Unlike NRC’s inventory, OIG’s sample included nonsensitive equipment with a current value of less than $300.
The sample inventory results showed that the error rates for headquarters and Region I exceeded the anticipated 5 percent rate. [6] The results of the sample inventory are summarized in the table below.

Statistical Sample Inventory Results

Columns:
(A) Lot Size
(B) Lot Acquisition Cost in Dollars (000's)
(C) Sample Size
(D) Number of Errors
(E) Percent of Errors, (E)=(D)÷(C)
(F) UCL [7] 95%: Percent of Lot
(G) UCL [7] 95%: Number of Errors, (G)=(A) x (F)
(H) UCL [7] 95%: Approximate Acquisition Cost [8] in Dollars (000's), (H)=(B) x (F)

                                                          ERRORS
Location                  (A)      (B)       (C)    (D)   (E)    (F)       (G)       (H)
Headquarters < $10,000    10,186   $14,456   250    66    26.4   31.0      3,158     $4,481
Headquarters ≥ $10,000    294      6,507     14     4     28.6   54.0      159       3,514
Region I < $10,000        800      1,180     50     11    22.0   31.6      253       373
Region I ≥ $10,000        16       475       16     1     6.3    N/A [9]   N/A [9]   12 [10]

[6] PASS could not be used to determine an item’s specific room location at Region II or at the two contractors. Those locations maintain separate inventory systems to identify room locations within their facilities.

[7] UCL - Upper Confidence Limit

[8] Represents the estimated acquisition cost associated with the projected number of errors in the lot.

[9] Since the entire population of 16 items was tested, a projection is not applicable.

[10] Actual Acquisition Cost of the one error

In the table, “error” means that the item is not physically located in the building and room number shown in PASS.
At a 95 percent confidence level, the error rate for the population (Headquarters < $10,000) can be as high as 31 percent, which amounts to 3,158 errors with an associated acquisition cost of approximately $4.5 million.

The following bar chart shows the sample results for headquarters and Region I. The error rate for each of the four populations exceeded the 5 percent anticipated error rate.

[Figure: Results of OIG's Sample Inventory at Headquarters and Region I (bar chart). Vertical axis: % of Sample. Horizontal axis: Noncapitalized IT Equipment (Headquarters < $10,000; Headquarters > or = $10,000; Region I < $10,000; Region I > or = $10,000). Legend: Found, Not Found.]

The initial results of NRC’s FY 2000 inventory at headquarters showed a 20 percent error rate, which is similar to our sample results for headquarters.

Equipment Is Missing From Mini-Warehouse

OIG’s sample inventory at headquarters highlighted problems with an IT equipment storage area that serves as a mini-warehouse. Old and new IT equipment frequently moves through the mini-warehouse as a result of excessing and refresh activities. Because of the high activity in this room, OIG conducted additional inquiries and tests that revealed numerous missing items. Subsequently, the agency found some of the missing items.
Photographs of the mini-warehouse during the testing are presented on the next page.

[Photograph: System Units Stored in OCIO’s mini-warehouse]

[Photograph: Miscellaneous IT Equipment stored in OCIO’s mini-warehouse]

Results of additional testing showed that:

- Eleven (11) laptop computers, reported in PASS as located in the mini-warehouse, were not found. Two of these laptops were subsequently found, leaving nine laptops (with an acquisition cost of $26,938) as still missing.

- 104 system units [11] (with an acquisition cost of $327,441), reported in PASS as located in the mini-warehouse, were not found.

- Thirteen (13) system units (with an acquisition cost of $19,794) were found in the mini-warehouse, but were not shown in PASS as located in the mini-warehouse.

As of February 27, 2001, PASS showed the mini-warehouse as the location for 526 items in an account assigned to the OCIO. NRC officials explained that a CIO HOLD account [12] was established in May 2000 as a holding account for missing nonsensitive IT items. These items generally have a current value below $300 and are not part of the agency inventory under MD 13.1.
Upon completion of the FY 2000 inventory, agency staff were to determine the status of the missing items by locating the items or preparing Report of Property for Survey forms (NRC Form 395). [13] To date, this process has not been completed.

[11] A system unit is occasionally referred to as a central processing unit.

[12] The CIO HOLD account includes 50 of the 104 system units identified above as missing from the mini-warehouse.

[13] NRC Form 395 is used to determine financial liability, if any, for Government property that is lost, stolen, or damaged. It is also used to authorize adjustments to property records to reflect such occurrences.

Accountability Of Property Custodians Is Limited

A property management official advised that property custodians do not update PASS in a timely manner. Untimely updates to PASS result in inaccurate data. Prompt execution of property transfers helps ensure the accuracy of location and end user information in PASS. For example, three of the 11 laptop computers, missing from the mini-warehouse, reportedly were identified in PASS awaiting acceptance by a property custodian for a range of 107 to 129 days. An OIG analysis of property custodians’ job descriptions, and elements and standards revealed that most contain little or no language regarding property custodian duties.
Thus, accountability as property custodians is limited.

Unreliable PASS Data Results In Supplemental Property Systems

Inaccurate location data diminishes the reliability of PASS, creates the perceived need for supplemental property systems, and places NRC property at risk. Several end users developed supplemental property systems because PASS is unreliable and does not fully meet their needs. As a result, the agency maintains at least five of these costly systems. Since these systems are not integrated with PASS, each property transaction is recorded twice, and additional effort would be required to reconcile PASS with the supplemental property systems. Agency offices use these systems to verify PASS data, gain flexibility in preparing reports, and maintain supplemental data.

NRC has established a Market Research Team to review upgrades and alternatives to PASS. Accordingly, OIG gave the agency a list of offices with supplemental property systems and encouraged NRC to include representatives from these offices on the team.

Sensitive Equipment Designation

PASS does not accurately reflect the sensitive item designations of noncapitalized IT equipment, as required by the Handbook for Property Custodians. PASS sensitive item designations are inaccurate due to the absence of appropriate controls. This condition jeopardizes accountability for sensitive items, particularly at separation clearance time.

PASS contains two sensitive item designation fields. One field is based on a sensitive indicator box, which is checked to indicate whether the item is sensitive. Additionally, the Handbook for Property Custodians requires a secondary designation, a SIH (Sensitive Item Holder) prefix, in the end user field.
The\nsensitive item designations should be consistent for both fields (i.e., a box\nchecked should be accompanied by the SIH prefix).\n\nAn OIG comparison of the two fields revealed a 15 percent error rate for\nheadquarters noncapitalized IT equipment having an acquisition cost of less than\n$10,000. Of 579 items designated as sensitive (sensitive indicator box), 87\nitems did not contain the SIH prefix in the end user field. Eighty-one of the 87\nitems not designated properly were laptop computers. OIG provided a listing of\nthe 87 errors to an ADM official. The secondary sensitive item designation is\ninconsistent and incorrect because NRC has not implemented appropriate\ncontrols, such as edit checks, to detect errors.\n\nProperty custodians use the SIH designation to determine if sensitive equipment\nis assigned to a separating employee. Without the correct designation,\nseparating employees could leave the agency and not be held accountable for\nsensitive equipment in their possession.\n\nSummary\n\nLocation and sensitive item designation inaccuracies in PASS affect the reliability\nof PASS data. Inaccuracies result because (1) accountability for property\ncustodians is limited and (2) controls regarding sensitive item designations are\ninadequate or lacking.\n\nStatistical projections show that as many as 3,571 items of noncapitalized IT\nequipment at headquarters and Region I, costing approximately $8.38 million,\nare not physically located in the building and room number shown in PASS.\nFurthermore, 526 IT equipment items are missing from the OCIO\nmini-warehouse. 
Inaccurate location information in PASS (1) can result in the\nunnecessary purchase of equipment, and (2) is a contributing cause for the\ncreation of costly supplemental property systems.\n\nAdditionally, a comparison of the two PASS sensitive item designation fields\nrevealed a 15 percent error rate. The sensitive item designation errors place\naccountability for sensitive items (including 81 laptop computers) in jeopardy,\nparticularly at separation clearance time. PASS inaccuracies (location and\nsensitivity designations) result in a heightened potential for fraud or misuse of\nagency equipment.\n\n\nRECOMMENDATIONS\n\nOIG recommends that the Executive Director for Operations:\n\n1.     Institute the use of annual property confirmations by end users to help\n       ensure the accuracy of PASS information.\n\n2.     Coordinate with NRC offices to establish and implement consistent\n       performance standards (i.e., Elements and Standards) for property\n       custodian/alternate property custodian duties.\n\n3.     Include representatives from offices with supplemental property systems\n       on the Market Research Team.\n\n4.     Distribute this audit report to all property custodians and their alternates.\n       The transmittal letter should emphasize the need to keep PASS\n       information current and accurate.\n\n5.     Develop an action plan with milestones to resolve equipment issues in\n       the CIO HOLD account. Each item in the account should be located and\n       PASS should be updated accordingly.\n\n6.     Resolve all discrepancies identified in OIG’s sample inventory and tests\n       of the mini-warehouse and provide the OIG with the status of each item.\n\n7.     Design and implement appropriate quality controls to ensure the\n       accuracy of sensitive item designations in PASS.\n\n8.     
Correct the 87 incorrect sensitive item designations in PASS.\n\n        B. PROPERTY MANAGEMENT PROGRAM NEEDS IMPROVED SAFEGUARDS\n\n\n                  NRC’s property management program needs improved safeguards to deter and\n                  prevent loss through fraud or misuse. Specifically, NRC’s management controls\n                  are not adequate or are lacking in the following areas:\n\n                          1.     Security Incident Reports,\n                          2.     Separated employees’ PASS accounts,\n                          3.     Separation of duties,\n                          4.     Physical inventory procedures, and\n                          5.     Handbook for Property Custodians.\n\n                  These conditions result in a heightened potential for fraud or misuse of NRC\n                  equipment and the unlikely recovery of missing agency property.\n\n                  Security Incident Reports\n\n                  MD 13.1 requires that NRC provide sufficient controls over its equipment to deter\n                  or eliminate loss through fraud, waste or misuse. MD 13.1's Handbook requires\n                  agency employees to initiate a Security Incident Report (SIR) when a theft (loss)\n                  is suspected at headquarters.\n\n                  Agency staff completed only four SIRs[14] since January 1, 1999, even though 187\n                  items were identified as missing. In October 2000, NRC reported 187 missing\n                  items out of 18,402 items during its FY 2000 inventory.[15] As of March 6, 2001,\n                  70 of the 187 missing items were reportedly found, leaving a balance of 117\n                  missing items (including 27 laptop computers). 
Additionally, the agency’s CIO\n                  HOLD account, created in May 2000, includes 526 missing items (not subject to\n                  inventory) as of February 27, 2001.\n\n        [14] Security Incident Reports are used to report missing/stolen property and serve as the basis for\nnotifying the OIG of such matters.\n        [15] DCPM conducted the FY 2000 inventory from June through August 2000.\n        [16] A three-member Board that determines financial liability, or release from liability, of\naccountable individuals for loss or damage to agency equipment.\n\n                  In October 2000, OIG served as facilitator in a meeting attended by\n                  representatives from DCPM, the Division of Facilities and Security, and the\n                  Property Survey Board.[16] Meeting attendees agreed that agency guidance\n                  regarding lost or stolen NRC equipment is vague and requires revision. General\n                  agreement was reached that ADM representatives, in coordination with\n                  representatives of other interested offices, will rewrite the guidance in a simple,\n                  easy to follow, process-oriented style. OIG representatives emphasized a direct\n                correlation between the timeliness of notification and the likelihood of recovery of\n                lost or stolen equipment. Without an SIR, neither OIG nor the agency can\n                investigate lost or stolen property and recovery becomes unlikely. 
Many\n                opportunities to recover missing agency equipment have been lost because SIRs\n                were not prepared.\n\n                Separated Employees’ PASS Accounts\n\n                To determine whether open accounts exist for separated employees, OIG\n                selected a judgmental sample of employees who separated during calendar\n                years 1998 through 2000 (40 of 642). The test revealed that PASS contains\n                open accounts for 29 of the 40 former employees (72.5 percent). Four of the 29\n                accounts contain active PASS equipment. One of the four accounts is for an\n                individual who separated in March 1999 and has 13 items in that account. The\n                agency has since advised that it has initiated action to (1) remove the names of\n                former NRC employees from PASS, and (2) locate and properly account for\n                active PASS equipment in separated employees’ accounts.\n\n                The internal controls in this area need improvement to ensure that the PASS\n                System Administrator closes PASS accounts for all separated employees within\n                a reasonable time of their separation. Open PASS accounts for separated\n                employees also heighten the potential for fraud and misuse of agency\n                equipment. Those accounts can be used to hide lost or stolen equipment.\n\n                Separation Of Duties\n\n                NRC has not adequately separated responsibilities for property management\n                functions. These functions include inventory duties and a property custodian’s\n                access to his/her own account. Separation of duties is a sound business\n                practice and is required by U.S. General Accounting Office (GAO) standards for\n                internal control. 
Inadequate separation of duties creates opportunities for fraud\n                and misuse of agency equipment.\n\n                GAO’s Standards for Internal Control in the Federal Government, November\n                1999, provides that control activities[17] include separation of duties. This control\n                activity is described as follows:\n\n                        Key duties and responsibilities need to be divided or segregated among\n                        different people to reduce the risk of error or fraud. This should include\n                        separating the responsibilities for authorizing transactions, processing\n                        and recording them, reviewing the transactions, and handling any related\n                        assets. No one individual should control all key aspects of a transaction\n                        or event.\n\n        [17] Control activities are the policies, procedures, techniques, and mechanisms that enforce\nmanagement’s directives. Control activities are an integral part of an agency’s accountability for\nstewardship of government resources.\n\nThus, property system administration and inventory control responsibilities must\nbe adequately separated. The PASS System Administrator controls the key\naspects of PASS transactions, participates in the conduct of NRC’s physical\ninventory, prepares inventory discrepancy reports, and prepares reports on\ninventory results. As a result, the PASS System Administrator controls property\nsystem records and can conceal the location of missing equipment during an\ninventory.\n\nFurthermore, property custodians should not have access to their own PASS\naccounts, which contain equipment assigned to them. 
This access level, which\nis not addressed in agency guidance, allows individuals the opportunity to\nmanipulate their own PASS records and conceal the location of missing\nequipment.\n\nPhysical Inventory Procedures\n\nNRC procedures do not require accountability for all property in PASS.\nAlthough ADM’s FY 2001 Operating Plan requires accountability for all PASS\nproperty, approximately 6,900 equipment items are not controlled through the\ninventory process. NRC Handbook 13.1 states:\n\n       Once nonsensitive equipment has depreciated below the $300 threshold,\n       it will no longer be part of the property base for purposes of inventory.\n       However, as long as equipment is in use, the record will remain active in\n       PASS.\n\nAccording to DCPM, the FY 1998 inventory was the first inventory that used the\nMD 13.1 guidance. PASS contains approximately 6,900 nonsensitive equipment\nitems that have been depreciated below the agency’s $300 threshold. Since\nDCPM excludes these items from the physical inventory, this property is not\nadequately controlled. For example, one OCIO property account includes 526\nmissing items, generally valued at less than $300 each.\n\nOnce equipment is no longer included as part of the physical inventory, there is\nincreased risk that the agency will lose control over such equipment. For\nexample, a system unit could be depreciated below $300 and would no longer be\ninventoried.\n\nHandbook For Property Custodians\n\nThe Handbook for Property Custodians and the NRC Handbook 13.1 contain\nsignificant responsibilities and guidance for property custodians. 
However, NRC\nHandbook 13.1 contains responsibilities and guidance not contained in the\nHandbook for Property Custodians.\n\nHandbook 13.1 provides the following responsibilities and guidance that are not\nfound in the Handbook for Property Custodians:\n\n       •      Assess available property and determine if it is fully used before\n              certifying new property requests.\n\n       •      Assist in locating missing equipment and providing purchase\n              documentation for any non-tagged equipment.\n\n       •      Additional responsibilities of regional property custodians:\n\n              -       Provide to DCPM copies of receiving documents (showing\n                      model number, purchase date, and price) for NRC\n                      equipment.\n\n              -       Maintain custodial receipts (NRC Form 119) and records\n                      of sensitive NRC property.\n\n              -       Review appropriate excess property lists and recommend\n                      acquisition of excess property in lieu of purchase.\n\nBecause the duties of property custodians are not consolidated in a single\ndocument, the custodians may not be fully aware of or perform the full scope of\ntheir responsibilities.\n\nSummary\n\nNRC’s property management program needs improved safeguards.\nManagement controls are inadequate or lacking in five areas: Security Incident\nReports, separated employees’ PASS accounts, separation of duties, physical\ninventory procedures, and the Handbook for Property Custodians. As a result,\nNRC’s noncapitalized IT equipment is susceptible to loss from fraud or misuse\nand the recovery of missing agency equipment is unlikely.\n\nRECOMMENDATIONS\n\nOIG recommends that the Executive Director for Operations:\n\n9.     
Revise NRC Handbook 13.1 to clarify guidance regarding lost or stolen\n       equipment, and clearly explain when a Security Incident Report is\n       needed.\n\n10.    Design and implement internal controls to ensure that the PASS accounts\n       for separated employees are closed within a reasonable time of their\n       separation from the agency.\n\n11.    Ensure that active equipment listed in separated employees’ accounts is\n       reassigned or properly disposed of and that PASS records are updated\n       accordingly.\n\n12.    Separate property management duties, in particular, inventory duties and\n       a property custodian’s access to his/her own account.\n\n13.    Include all nonsensitive equipment controlled in PASS (regardless of\n       current value) in the property base for inventory purposes.\n\n14.    Consolidate property custodian responsibilities and guidance from NRC\n       Handbook 13.1 into the Handbook for Property Custodians.\n\n\nIV. OTHER RELATED MATTERS\n\n    A. 
PROPERTY AND FINANCIAL MANAGEMENT SYSTEMS INTEGRATION\n\n          The JFMIP publication, Property Management Systems Requirements, notes\n          that “Financial management systems must be designed with effective and\n          efficient interrelationships between software, hardware, personnel, procedures,\n          controls and data contained within the systems.” Furthermore, it states that the\n          design of such a system should eliminate unnecessary duplication of transaction\n          entry.\n\n          NRC is presently considering alternatives to PASS, which is not integrated with\n          the agency’s financial system. This lack of integration results in duplicate\n          transaction entry: all transactions (property) are either considered expensed or\n          capitalized in PASS, and corresponding entries must also be made for the\n          financial system. As NRC works toward replacing the current property\n          management system, the time is opportune for the Office of the Chief Financial\n          Officer and ADM to work together to define user needs and procure a system\n          that has an efficient and effective interrelationship between the property and\n          financial systems.\n\n    B. STATUS OF REGION III’S PROPERTY MANAGEMENT CORRECTIVE ACTIONS\n\n          In Region III’s November 2000 Reasonable Assurance Statement, the Region\n          self-identified deficiencies in its property management program after an inventory\n          disclosed 16 missing computers, including 12 laptops. To mitigate property\n          management deficiencies, the Region prepared a corrective action plan. Region\n          III staff stated that they are making progress toward implementing the plan. The\n          Region issued a new Divisional Instruction (DI-9936), Property Management,\n          with an effective date of December 29, 2000. 
Additionally, a revised Regional\n          Procedure concerning property management was drafted and distributed to\n          regional staff for comment, and heightened attention is being given to complying\n          with property management policies. The Region is also in the process of filling\n          the property custodian vacancy. Furthermore, headquarters has scheduled a\n          physical inventory at Region III during FY 2001. Thus, reasonable action has\n          been taken or is in process to resolve property management deficiencies at\n          Region III.\n\n\nV. CONSOLIDATED LIST OF RECOMMENDATIONS\n\n        OIG recommends that the Executive Director for Operations:\n\n        1.     Institute the use of annual property confirmations by end users to help\n               ensure the accuracy of PASS information.\n\n        2.     Coordinate with NRC offices to establish and implement consistent\n               performance standards (i.e., Elements and Standards) for property\n               custodian/alternate property custodian duties.\n\n        3.     Include representatives from offices with supplemental property systems\n               on the Market Research Team.\n\n        4.     Distribute this audit report to all property custodians and their alternates.\n               The transmittal letter should emphasize the need to keep PASS\n               information current and accurate.\n\n        5.     Develop an action plan with milestones to resolve equipment issues in\n               the CIO HOLD account. Each item in the account should be located and\n               PASS should be updated accordingly.\n\n        6.     
Resolve all discrepancies identified in OIG’s sample inventory and tests\n               of the mini-warehouse and provide the OIG with the status of each item.\n\n        7.     Design and implement appropriate quality controls to ensure the\n               accuracy of sensitive item designations in PASS.\n\n        8.     Correct the 87 incorrect sensitive item designations in PASS.\n\n        9.     Revise NRC Handbook 13.1 to clarify guidance regarding lost or stolen\n               equipment, and clearly explain when a Security Incident Report is\n               needed.\n\n        10.    Design and implement internal controls to ensure that PASS accounts for\n               separated employees are closed within a reasonable time of their\n               separation from the agency.\n\n        11.    Ensure that active equipment listed in separated employees’ accounts is\n               reassigned or properly disposed of and that PASS records are updated\n               accordingly.\n\n        12.    Separate property management duties, in particular, inventory duties and\n               a property custodian’s access to his/her own account.\n\n        13.    Include all nonsensitive equipment controlled in PASS (regardless of\n               current value) in the property base for inventory purposes.\n\n        14.    Consolidate property custodian responsibilities and guidance from NRC\n               Handbook 13.1 into the Handbook for Property Custodians.\n\n\nVI. AGENCY COMMENTS\n\n        At an exit conference on May 22, 2001, NRC officials stated general agreement\n        with the report’s findings and recommendations. 
They also suggested several\n        report revisions, which were incorporated where appropriate.\n\n\nAppendix A\n\nSCOPE AND METHODOLOGY\n\n              To accomplish the audit objectives, the Office of the Inspector General (OIG)\n              reviewed and analyzed pertinent laws, regulations, authoritative guidance, and\n              prior U.S. Nuclear Regulatory Commission (NRC) OIG and U.S. General\n              Accounting Office reports. In addition, OIG identified, analyzed and compared\n              NRC guidance with the aforementioned criteria. OIG conducted interviews with\n              selected NRC officials to gain an understanding of NRC’s property management\n              guidance and to determine current issues, problems, or known deficiencies. At\n              NRC headquarters, OIG interviewed personnel in the Offices of Administration,\n              Human Resources, Chief Financial Officer, Chief Information Officer, Nuclear\n              Materials Safety and Safeguards, Nuclear Reactor Regulation, Nuclear\n              Regulatory Research, and the General Counsel. OIG visited two Regional\n              offices and two contractors. We also interviewed personnel from all four\n              Regions.\n\n              OIG conducted tests to determine whether location and sensitive item\n              designation information maintained in the property and supply system (PASS) is\n              accurate. 
OIG selected a stratified random sample of noncapitalized information\n              technology equipment from PASS to physically verify location. OIG further\n              tested PASS location data for items (laptop computers and system units) located\n              in a mini-warehouse.[1] Additionally, OIG compared selected data to determine\n              whether there is consistent designation of sensitive property in PASS.\n\n              Management controls related to the audit objectives were reviewed and\n              analyzed. Throughout the review, auditors were aware of the possibility or\n              existence of fraud, waste or misuse in the program. OIG conducted the audit in\n              accordance with Generally Accepted Government Auditing Standards from\n              August 2000 through March 2001.\n\n              The major contributors to this report were Anthony Lipuma, Team Leader;\n              Steven Zane, Audit Manager; Michael Steinberg, Senior Auditor; and Debra\n              Lipkey, Management Analyst.\n\n    [1] The mini-warehouse is located in room O2A1 at headquarters.\n"